Post

DamCTF 2025: Breach

Posted
Preview Image
By Eduardo Margarido
5 min read
DamCTF 2025: Breach

This write-up contains my solution to the misc/breach challenge in the CTF event hosted by OSUSEC, DamCTF 2025.

The challenge is cyberpunk themed and contains a breach protocol interface similar to the game.

Initial Analysis

Description

Author: tlop

hack the mainframe, choom. eddies for days.

ssh chal@breach.chals.damctf.xyz

pw: pw: chalworksnow

How the minigame works

Since this challenge is based on the game, let’s first understand how the minigame works:

Breach Interface inside Cyberpunk

If you’ve ever played the game, the interface should feel familiar, but for those who didn’t, here are the rules:

  • You start being able to move horizontally;
  • You can’t move diagonally;
  • Every time you choose a value to add to the current buffer, the axis changes;
  • You have a limited number of inputs (4 in this case);
  • Your goal is to upload the correct sequence (shown on the right in this case).

The solution to this particular problem would be uploading 55 55 BD 55, which we can achieve by doing these moves, where the number is the coordinate in the matrix:

  1. [1,1]
  2. [5,1]
  3. [5,2]
  4. [3,2]

The challenge itself

For the challenge, we are provided with a binary to test locally instead of connecting to the server via ssh, and upon executing it we see this similar interface:

Breach Interface Challenge

Breaking down the information we can gather from the interface:

  • The sequences to upload are at the top instead of the side;
  • The axis we can move in is shown in the DEBUG entry and is highlighted in blue;
  • The value we’re currently hovering is highlighted in red;
  • The controls are at the bottom;
  • The grid is bigger than the in game one;
  • We don’t have a buffer limitation like the game.

Since the game version can be solved by sending the correct sequence, we can try sending the first sequence shown at the top and see if that does anything interesting.

I’ll be adding images with the path I used since the grid is a lot bigger, making a coordinate system harder to follow.

To send the first sequence we can follow this path:

Inputting "63 66 20 3b 74"

Which would give us this output:

Result of "63 66 20 3b 74"

Now this didn’t really solve or win us anything like the game, but it tells us that the challenge takes our buffer sequence and somehow translates it and runs it in bash.

I didn’t find any valid solution to the second sequence but it would theoretically give us the same information we got from the first one.

Figuring out the system

In order for us to get the flag we have to understand how our breach sequences are being interpreted. Through knowledge (or an LLM) we can figure out that the values we can input into the buffer are the hex representations of ascii characters. To confirm this we can input the first sequence into a converter (like this one) and it’ll tell us that 63 66 20 3b 74 translates to cf ;t, matching with the error we got from the binary.

Analyzing our matrix once again we find these unique values:

  • 20 - " "
  • 2d - "-"
  • 3b - ";"
  • 6c - "l"
  • 52 - "R"
  • 61 - "a"
  • 63 - "c"
  • 64 - "d"
  • 66 - "f"
  • 67 - "g"
  • 73 - "s"
  • 74 - "t"

Which means we can build bash commands with these (as long as we can build the sequence). Starting with something simple as a proof of concept locally, we can try to run ls (6C 73)

Output of ls

LS worked locally! we can see the breach binary and a dummy flag.txt file. Time to test it on remote!

Real netrunning

In this phase we can start testing inputs on remote to solve the challenge.

Finding the flag file

Since we want to know if something is a directory is a file or a directory, we can run ls -fl (6c 73 20 2d 66 6c):

Path of "ls -fl"

This would get us this on remote:

1
2
3
4
5
6
7
8

drwxr-xr-x. 1 root root 18 May 10 07:44 .
drwxr-xr-x. 1 root root 50 May 10 09:36 ..
drwxr-xr-x. 1 root root 18 May 10 07:44 altf
drwxr-xr-x. 2 root root  6 May 10 07:44 alft
drwxr-xr-x. 2 root root  6 May 10 07:44 atfl
drwxr-xr-x. 2 root root  6 May 10 07:44 falt
drwxr-xr-x. 2 root root  6 May 10 07:44 flat
drwxr-xr-x. 2 root root  6 May 10 07:44 latf

ls -l would work with one less input but there is no 6c from the 2d position we’re in

There are lots of folders, so we’ll try to go into them and run ls with this input cd altf;ls -l (63 64 20 61 6c 74 66 3b 6c 73 20 2d 6c)

Path of "cd altf;ls -l"

Running this we get confirmation that there is a flag file in the first folder, so we just have to read it now!

Result of "cd altf;ls -l

To read the file we have to use something like cd altf;cat flag (63 64 20 61 6C 74 66 3B 63 61 74 20 66 6C 61 67).

The input is quite long, so let’s plan our approach in phases, starting from the cat flag (63 61 74 20 66 6c 61 67) part:

Path of "cat flag"

The two bubbles around 3b are both entry points we can use to build a valid buffer input for cat flag

With this we can now take our cd altf; approach from the previous command, but we’ll notice there isn’t a good way to reach the 3b on the right of the matrix.

To solve this, we can take into account the way commands are built in bash noting a few useful techniques for building inputs that will allow us to solve this, such as using 20 twice to stay in the same axis, and using random values between 3b as padding so we can chain the commands.

Solution

With the previous technique mentioned, we can use the command cd altf;af;cat flag (63 64 20 61 6c 74 66 3b 61 66 3b 63 61 74 20 66 6c 61 67) to read the flag!

Path of "cd altf;af;cat flag"

Using this path on the remote gives us:

Result of "cd altf;af;cat flag

We snagged the flag choom, time to fence it quick and get enough eddies for some fresh chrome!

References

CTF, DamCTF
netrunning puzzle command execution
This post is licensed under CC BY 4.0 by the author.